I know very little about Windows domains and Group Policy. However, if you use Group Policy to set a requirement that PCs joining your domain have to download and run a program, then by default that applies to all PCs joining the domain, right -- even a brand-new machine from the store, if you bring it in to work and join it to the domain where the Group Policy is set?

So -- is it also a correct statement that Group Policy is not a reliable way to ensure that a given program is run on a computer when a user joins a domain -- not if users have local admin on their machine?

(This would seem like a specific case of the general principle that there's no such thing as a trusted client -- if users are administrators on their local machine, then the network administrator can't reliably force anything to happen on the user's machine.)

1 Answer

For cases where the user is local admin, you are correct. There are numerous ways that the user could prevent execution in that case, even without blocking group policy stuff from taking effect generally.

If you only need the program to run once, you can simply run it before handing it over to the employees / users, but if they have local admin they can always unwind any of the changes you made, too...